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Abstract 

We present a proxy signature scheme using bilinear pairings that provides 
effective proxy revocation. The scheme uses a binding-blinding technique 
to avoid secure channel requirements in the key issuance stage. With this 
technique, the signer receives a partial private key from a trusted authority 
and unblinds it to get his private key, in turn, overcomes the key escrow 
problem which is a constraint in most of the pairing-based proxy signature 
schemes. The scheme fulfills the necessary security requirements of proxy 
signature and resists other possible threats. 

Keywords: proxy signature, proxy revocation, bilinear pairings, key escrow. 



1 Introduction 

Proxy signature is a digital signature where an original signer delegates his signing 
capability to a proxy signer, and then the proxy signer performs message signing 
on behalf of the original signer. The notion of proxy signature has been evolved 
over a long time, 16 years now pp. However, the cryptographic treatment on proxy 
signature was introduced by Mambo et al [2] in 1996. They classified the delegation 
capability in three types, namely full delegation, partial delegation and delegation 
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by warrant. In full delegation, an original signer directly gives his private key to 
a proxy signer and using it the proxy signer signs the document. The drawback 
of proxy signature with full delegation is that the absence of a distinguishability 
between the original signer and the proxy signer. In partial delegation, the original 
signer derives a proxy key from his private key and hands it over to the proxy 
signer as a delegation of signing rights. In this case, the proxy signer can misuse 
the delegation of signing rights, because partial delegation does not restrict the 
proxy signer's signing capability. The weakness of full and partial delegations are 
eliminated by partial delegation with warrant, where a warrant explicitly states the 
signers' identity, delegation period and the qualification of the message on which 
the proxy signer can sign, etc. Once proxy delegation is given, the revocation is 
an important issue in the proxy signature scheme. For instance, the original signer 
key is compromised or any misuse of delegation of signing rights is noticed. It may 
so happen that the original signer wants to terminate his delegation power before 
the expiry e.g., the manager of a company has come back from his trip before time 
that he was scheduled for. 

Desirable security properties of proxy signatures have evolved over this period and 
a widely accepted list of required properties follows: 

- Strong unforgeability: A designated proxy signer can create a valid proxy 
signature on behalf of the original signer. But the original signer and other 
third parties cannot create a valid proxy signature. 

- Strong identifiability: Anyone can determine the identity of the correspond- 
ing proxy signer from the proxy signature. 

- Verifiability: The verifier can be convinced of the original signer's agreement 
from the proxy signature. 

- Distinguishability: Proxy signatures are distinguishable from normal signa- 
tures by everyone. 

- Strong undeniability: Once a proxy signer creates a valid proxy signature, he 
cannot deny the signature creation. 

- Prevention of misuse: The proxy signer cannot use the proxy key for other 
purposes than it is made for. That is, he cannot sign message with the proxy 
key that have not been defined in the warrant. If he does so, he will be 
identified explicitly from the warrant. 

After Mambo et al.'s |2] scheme, several schemes have been proposed [3], [I], [5], 
[BJ, [7]. However, most of the schemes lack proxy revocation mechanism. Recently, 
the bilinear pairings, namely the Weil pairing and the Tate pairing of algebraic 
curves have been found important applications [8], [9], [10] in identity (ID) based 
cryptography. The advantage of an ID-based cryptography [11] is that it avoids 
public key certification, the public key of a user is his identity, e.g., e-mail, social 



security number, etc. There are a few proxy signature schemes [T2], [T3], [2], [IS] 
based on bilinear pairings; however, the schemes lack the key escrow problem and 
have not addressed the proxy revocation mechanism. In this paper, we present a 
proxy signature scheme using bilinear pairings that provides effective proxy revo- 
cation mechanism. Our scheme is not exactly ID-based, it is a variant of ID-based 
schemes. The scheme does not require secure channel in the key issuance stage 
and avoids the key escrow problem. 

The rest of the paper is organized as follows. Section 2 discusses some preliminar- 
ies. Section 3 presents the scheme. Section 4 analyzes the security and performance 
of the scheme. Finally, we conclude the paper in Section 5. 

2 Preliminaries 

2.1 Bilinear Pairings 

Suppose G\ is a cyclic additive group of prime order q, generated by P, and G2 
is a cyclic multiplicative group of the same order q. A map 6 : G\ x G\ — * G2 is 
called a bilinear mapping if it satisfies the following properties: 

- Bilinear: e(aP, bQ) = e(P, Q) ah for all P, Q G G x and a, 6 G Z* ; 

- Non-degenerate: There exist P,Q G G\ such that e(P, Q) ^ 1 ; 

- Computable: There is an efficient algorithm to compute e(P, Q) V P, Q G G\. 
In general, G\ is a group of points on an elliptic curve and G2 is a multiplicative 
subgroup of a finite field. 

2.2 Computational Problems 

Definition 1. Discrete Logarithm Problem (DLP) : Given Q,R G G\, find an 
integer a G Z* such that R = aQ. 

Definition 2. Decisional Diffie-Hellman Problem (DDHP) : Given (P, aP, bP, cP) 
for a,b,c G Z* determine whether c = ab mod q. The advantage Adv of any 
probabilistic polynomial-time algorithm A in solving DDHP in G\ is defined as: 

Adv^gf = [Pr[A(P, aP, bP, cP) = 1] - Pr[A(P, aP, bP, abP) = 1] : a, 6, c G Z*] . 

For every probabilistic polynomial-time algorithm A, Adv^ is negligible. 

Definition 3. Computational Diffie-Hellman Problem (CDHP) : Given (P, aP, bP) 
for a, b G Z*, compute a6P. 

The advantage of any probabilistic polynomial-time algorithm A in solving CDHP 
in Gi is defined as: 

Adv^Jf = [Pr[^(P, aP, bP, abP) = 1 : a, 6 G Z*] . 

For every probabilistic algorithm ^4, Adv^^ is negligible. 

Definition 4. Gap Diffie-Hellman Problem (GDHP): A class of problems where 
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DDHP is easy while CDHP is hard. 

Definition 5. Weak Diffie-Hellman Problem (WD HP) 
compute aQ. 



Given (P, Q, aP) for a e Z*, 



3 The Proposed Scheme 

To avoid the original signer's forgery and prevention of delegation power misuse, 
the proxy-protected proxy signature [3] is a secure approach. Our scheme is based 
on proxy-protected notion and uses the merits of partial delegation with warrant^. 
The participating entities and their roles in the proposed scheme are defined as 
follows: 

• Private Key Generator (PKG): A trusted authority who receives signer's 
identity (ID) along with other parameters, checks validity of ID and issues 
partial private key to the signer corresponding to the ID. 

• Original Signer: Entity who delegates his signing rights to a proxy signer. 

• Proxy Signer: Entity who signs the message on behalf of the original signer. 

• Verifier: Entity who verifies the proxy signature and decides to accept or 
reject. 

The scheme has five phases: Setup, KeyGen, ProxyKeyGen, ProxySignGen and 
ProxySign Verify. The phases work as follows. 
[ Setup ] 

It takes as input a security parameter; and outputs system parameters params and 
master-key of PKG. The params includes a cyclic additive group G\ of prime order 
q generated by P, a cyclic multiplicative group G 2 of prime order q, a bilinear map 
e : Gx x G x -> G 2 , hash functions H x : {0, 1}* x Gx x G x -> G x , H 2 : {0, 1}* -> Gx, 
h : {0, 1}* x d x Gi — > Z*, and public key of PKG. The PKG selects a master-key 
s E Z* and computes public key as Pub PKG = sP. The PKG publishes params = 
(Gx, G 2 , e, q, P, Pub PKG , Hx, H 2 , h) and keeps s secret. 

[ KeyGen ] 

It takes user chosen parameters and params as inputs; and outputs user private 
key. The entire phase consists of a partial private key issuance and a private key 
generation stages. The stages use a binding-blinding technique to avoid the key 
escrow problem and to eliminate the secure channel requirements. The binding- 
blinding technique works as follows: 

- The user chooses two secret binding factors, calculates the binding param- 
eters and sends them to the PKG over a public channel along with his/her 
identity. 

1 A warrant consists of original signer and proxy signer identities, qualification of the message 
on which the proxy signer can sign, validity period of the delegation, etc. 
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- As the communication channel between the user and the PKG is a public 
channel, a dishonest party can construct his/her preferred binding parameters 
using the targeted user's identity and sends the binding parameters along 
with user's identity before the user submits a request for partial private key. 
To avoid this type of attack, the PKG first sends a message to the email-id_| 
(email-id acts as the user identity) and asks a confirmation from the email-id 
owner. If the email-id owner confirms his/her request for a partial private 
key, then the PKG proceeds to the next step. 

- The PKG checks the validity of binding parameters. Upon successful valida- 
tion of the parameters, the PKG computes signer partial private key. Then, 
the PKG sends the partial private key to the user in a blinding manner over 
the public channel. 

PartialPrivateKey issuance: 

- User U\ computes his own public key Pub x = H 2 (ID\). 

- U\ picks two secret binding factors a x , b x e Z* and computes X x = a\Pub\, 
Y x = a x b x Pub x , Z x = b\P and W x = a x b x P. Then he sends (X x , Y\, Z x , 
W\, ID X ) to the PKG over a public channel. 

- Once the ID X is correct (we assume that identity of the user is his/her email- 
id and unregistered identity attack can be avoided by the above mentioned 
email confirmation procedure), the PKG computes Pub x = H 2 (ID X ) and 
verifies the validity of ID X by whether e(Y\, P) = e(X x , Z x ) = e(Pub x , W x ). 

- The PKG computes U x s partial private key as D x = sY x and creates a 
registration-token Reg x = sZ x corresponding to ID X . Then, PKG publishes 
(Reg x , ID X ) in a public directory and sends D x to U x over a public channel. 

We note that the PKG controls the public directory and checks every request before 
issuance of any partial private key. If the identity is present in the directory, the 
PKG denies the request, thereby the registration-token replacement is not possible 
by any other party. 

PrivateKey generation: 

- On receiving the partial private key D x , the signer U x checks its correctness 
by whether e(D x ,P) = e{Y x , PubpKc)- If P > \ is valid, U x unblinds it and 
generates his private key as S x = a x D\. 

2 At this juncture, we assume that the email-id acts as the user identity; however, other identity 
could play the same role if it avoids the unregistered identity attack. We note that it is a difficult 
task to avoid the unregistered identity attack for any types of identity if there is no off-line (secure 
channel) interaction between the PKG and the user, in turn it opens a prominent future scope 
of our proposed work. 



Original signer private key: Let ID be the identity of an original signer. The orig- 
inal signer chooses binding secret factors a Q and b Q and runs the KeyGen algorithm 
to get his partial private key as 

D <— PartialPrivateKey(X , Y , Z Q , W Q , ID Q ). 
After validating D Q , the original signer generates his private key as S = a~ l D Q . 

Proxy signer private key: Let ID P be the identity of the proxy signer. The proxy 
signer chooses the binding factors a p and b p and runs the KeyGen algorithm to get 
his partial private key as 

D p <— PartialPrivateKey(X p , Y p , Z p , W p , ID p ). 
After validating D p , the proxy signer generates his private key as S p = a~ x D p . 
[ ProxyKeyGen] 

- The original signer and proxy signer agree on a warrant m w . 

- The original signer computes U Q = S + b H 1 (m w , Pub Q , Pub p ), ip = b Q P and 
sends the tuple (m w , U Q , ip , Pub a ) to the proxy signer over a public channel 
as the delegation capability. 

- The proxy signer checks whether 

e(U a , P) = e(V> , H 1 (m w , Pub Q , Pub p ))e(Pub , Reg Q ). 

- If the delegation capability is valid, the proxy signer computes proxy key as 

V p = U + S p + bpHi(m w , Pub Q , Pub p ). 

[ ProxySignGen ] 

To sign a message m, the proxy signer computes the following steps: 

- Select a random r G Z* and computes R = rP. 

- Compute a = h(m, R, Pub p ) and ip p = b p P. 

- Compute V = (r + a)~ l V p . 

The proxy signature on m is the tuple (m w , m, R, V, ip , ip p , Pub Q , Pub p ). 
[ ProxySignVerif y ] 

The proxy signature (m w , m, R, V, ip ,^>p, Pub Q , Pub p ) is valid if and only if 

e{R+h{m,R, Pub p )P,V) 

= e(ip + ip p , Hi{m w , Pub D , Pub p ))e(Pub , Reg )e(Pub p , Reg p ). 

4 Analysis of the Scheme 

4.1 Correctness of proxy signature verification 

e(R + h(m,R, Pub p )P,V) 

= e((r + him, R, Pub p ))P, (r + a)~ x V p ) 



= e((r + a)P, (r + a^Vp) 

= e(P, U Q + S p + bpH^rriw, Pub Q , Pub p )) 

= e(P, S p + S + (b p + b )Hi{m w , Pub D , Pub p )) 

= e(P, S p )e(P, S )e(P, (b p + 6 )#i(m w , Pub Q , Pub p )) 

= e(Pub D , Reg )e(Pub p , Reg p )e((b + b p )P, Hi(m w , Pub D , Pub p )) 

= e(Pub Q , Reg )e(Pub p , Reg p )e(ij + ip p , H^m^ Pub Q , Pub p )) 

4.2 Security Analysis 

In this section, we show that the proposed scheme satisfies the security properties 
of a proxy signature, mentioned in Section 1. In addition, the scheme withstands 
some other possible threats. 

The scheme can withstand the strong unforgeability security property. 
To create a valid proxy signature, one should need the original signer and proxy 
signer private keys. Though the adversary can intercept signer partial private key 
Di ( i.e., saibiPubi), he cannot construct the private key Si (i.e., sbiPubi) without 
the knowledge of a iy because it is a WDHP (definition 5) which is assumed to be 
a hard problem. As our scheme is proxy protected, i.e., the proxy signer has to 
use his private key and original signer's delegation power to sign a message, thus, 
the original signer is also prohibited from forging a valid proxy signature. More- 
over, the PKG cannot frame the signers' with the knowledge of binding parameters 
(Xi, Yi, Zi, Wi), as extracting the binding factors a*, b{ from the binding parameters 
is as hard as CDHP (definition 3). 

The scheme can resist the identifiability , undeniability and distinguishability secu- 
rity properties. 

A valid proxy signature of a message m is the tuple (m w , m, R, V, ip , ip p , Pub a , 
Pubp). The public keys Pub Q , Pub v and warrant m w are the straightforward wit- 
nesses (i.e., identities) of the signers. In addition, a verifier will come to know the 
agreement between original and proxy signers from m w . 

From the correctness of the proxy signature, given in Section 4.1, it is clear that the 
proxy signer cannot deny his signature creation. The verification of a valid proxy 
signature needs the proxy signer's public key, in turn, proves that the signature was 
created by the proxy signer. Further, the PKG can also prove the identity of the 
proxy signer, as the tuple (Reg p , ID p ) in the PKG public directory is a supporting 
identification of a proxy signer and is also required in the proxy signature verifi- 
cation phase. Any verifier will receive the proxy signature that contains warrant 
m w and the public key of signers, by which the verifier can easily distinguish the 
proxy signature from the normal signature. 
The scheme is secure against misuse of the proxy delegation. 
In the Proxy key generation phase, the original signer signs the tuple (m w , Pub Q , 
Pubp) and gives it to the proxy signer as his delegation capability. The proxy signer 
signs a message with the proxy key that is being created by his private key and 
original signer's delegation capability. The qualification of message and limitation 
of proxy is clearly defined in m w and the delegation is made for the designated 
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proxy signer only. If the proxy signer misused the delegation capability, the proxy 
signer will be detected by any verifier from m w . The original signer's misuse is 
also prevented because he cannot create a valid proxy signature against the name 
of the proxy signer. 

Apart from the above security properties, the scheme withstands the following pos- 
sible threats. 

Threat 1. Registration-token replacement : The PKG creates registration-token 
corresponding to each registered signer and publishes it along with signer-ID in a 
public directory, which is controlled by PKG only. If a request comes from signer 
identity ID* for issuance of a partial private key, the PKG first checks whether 
ID* is in the public directory. If it is found in the public directory, the PKG 
rejects the request, otherwise executes the KeyGen algorithm for ID* . Thus, the 
registration-token replacement is not possible by any party (the PKG itself can 
replace the registration-token, but we assume that the signer trusts PKG for not 
to do it). 

Threat 2. Man-in-the-middle attacks : In our scheme, the communication channel 
of the key issuance stage is a public channel, thus an attacker may try to calculate 
the private key or binding factors of a signer by intercepting the binding parame- 
ters and partial private key. On intercepting the binding parameters, the adversary 
can formulate the following problem : Given params, binding parameters (aiPubi, 
aibiPubi, biP , OihiP , IDi) and partial private key Di (i.e., saibiPubi); Compute 
private key Si (i.e. sbiPubi) or binding factors (ai, bi). To solve this problem, one 
has to solve either the CDHP or the WDHP, which is assumed to be computation- 
ally hard. 

Threat 3. ONE partial private key — > MANY private keys : The scenario of gener- 
ating more than one private key from a partial private key is nor possible, because 
the private key Si (i.e. sbiPubi) and the registration-token Regi are linked by the 
secret binding factor bi. If a signer generates another private S* from Si and signs 
a message by S*, then the verification of the signature fails because the change 
from Si to S* is not reflected in Regi. Thereby, the signer cannot perform this 
type of attempt without being detected. 

Theorem 1. The proxy signature scheme is said to be secure against adaptive 
chosen-massage attacks under random oracle model if no polynomially bounded ad- 
versary (ink) has non-negligible advantage (in k). 

Proof: The proof of the theorem is ascertained by the following challenger-adversary 
game. 

Setup: A challenger C takes a security parameter k and runs the Setup phase as 
mentioned in Section 3. Then C returns the resulting system parameters params 
to A and keeps master-key s with itself. 

Queries: The adversary A issues adaptively the queries qi, q 2 , ■ • • , q m in any order 
for the following: 

ProxyKeyGen query on Pubj, where j — 1, • • • , m: 

C runs the ProxyKeyGen phase and generates proxy key Vj using Sj and bj corre- 



sponding to Pubj, and sends it to A. 
ProxySignGen query on (Pubj, M'): 

C runs the ProxyKeyGen phase and generates the proxy key Vj. Then, C signs the 
message M' and returns the proxy signature (u>, M', R', V(M'), i/j , ipj, Pub a , Pubj) 
to A. 

Guess: A outputs a proxy signature for message M* , where M* did not appear 
in the ProxySignGen query. 

Result: A wins if his produced proxy signature on M* is valid. The advantage of 
A in attacking the scheme is defined to be the probability that A produces a valid 
proxy signature in the game. We say that our scheme is secure against adaptive 
chosen-message attacks under random oracle model if no polynomially bounded 
adversary has non-negligible advantage in this game. 

4.3 Performance 

Proxy revocation : The revocation of delegation capability (i.e., proxy revoca- 
tion) is an important concern in any proxy signature scheme. It is observed that 
the schemes [12], [13], [II], [IS] have not addressed the proxy revocation issues, 
which is a practical requirement. In our scheme, proxy revocation can be easily 
done by revoking the registration-token from the PKG's public directory. If the 
original signer wants to revoke his delegation of signing rights, he sends a revoke- 
request tuple (M r , m w , Rev, Pub a , Pub p , ip ) to the PKG and proxy signer, where 
Rev = S Q + b a Hi(M r , Pub Q , Pub p ) and M r states the identity of the signer along 
with the reason for proxy revocation. The PKG first checks the authenticity and 
validity of the revoke-request and if the request is valid then PKG revokes the 
tuple (Reg Q , ID a ) and (Reg p , ID p ) from the public directory. We note that the 
proxy signer will not object if the PKG removes (Reg p , ID P ) without his consent 
(the original consent is with PKG), because if the delegation capability is no longer 
authorized, the delegated proxy signer is no longer required. The PKG validates 
the revoke-request as follows: 

e(Rev, P) = e(S Q + b Hi(M r , Pub , Pub p ), P) 

= e(sb Pub + 6 ifi(M r , Pub Q , Pub p ),P) 

= e(Reg Q , Pu& )e(iJi(M r , Pub Q , Pub p ),ip ) 

Key escrow : In our scheme, the PKG issues a PartialPrivateKey to the signer 
and with this the signer computes his private key. The PKG is not having knowl- 
edge of signer private key. To construct a private key from the partial private key, 
one has to know the secret binding factor or has to solve DLP. As the binding fac- 
tor is retained with the signer only, other party can not obtain signer private key 
because solving DLP is a hard problem. Thus, our scheme avoid the key escrow 
problem, which occurs in the schemes [12], [13], [T3], [T5] 

No need of secure channel : To eliminate the secure channel in the key issuance 
stage, we used a binding-blinding technique where the signer requests for a par- 
tial private key from the PKG. We considered a simplest procedure to verify the 



genuineness of signer's identity while partial private key issuance. After validat- 
ing the signer request, the PKG issues a partial private key in a blinded manner. 
Finally, the signer unblinds the partial private key to get his private key. This 
binding-blinding technique avoids the secure channel in the key issuance stage. 



5 Conclusion 

We proposed a proxy signature scheme using bilinear pairings that provides effec- 
tive proxy revocation. The scheme uses a binding-blinding technique to eliminate 
the secure channel requirements in the key issuance stage. We considered a mech- 
anism to avoid the unregistered identity attacks when identity is user's email-id, 
though the mechanism does not provide a generic solution for other types of iden- 
tities. We leave this problem as a future scope of the proposed work. Our scheme 
is not exactly ID-based scheme; however, it avoids the key escrow problem, which 
remains constraint in most of the existing pairing-based proxy signature schemes. 
We showed that the scheme satisfied the security requirements of a proxy signature 
and also withstood other possible threats. 
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